Colorado Positioned to Become Next Frontrunner in Comprehensive Privacy Regulation
This week, the Colorado House of Representatives passed a new state privacy bill by a vote of 57-7. This bill resembles the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA), granting consumer privacy rights to Colorado consumers.
Senate Bill 21-290 features expansive consumer rights and strict compliance requirements for businesses. The bill would provide consumer rights such as the right to request that data be disclosed, deleted, or corrected, the right to opt-out of the sale or sharing of data, and a right to nondiscrimination. The bill also requires that covered businesses obtain consumer consent before collecting sensitive personal information.
The bill applies to companies that conduct business in Colorado or produce commercial products or services targeted to Colorado residents and either: (a) control or process the personal data of 100,000 or more consumers during a calendar year or (b) derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. Unlike the CCPA, this bill does not contain a monetary threshold for applicability.
Under the bill, a “consumer” is an individual who is a Colorado resident acting in an individual or household context. Like the CCPA and CDPA, the Colorado bill broadly defines “personal data” as information that is “linked or reasonably linkable” to an identified or identifiable individual. The special category of “sensitive data” covers any personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition, sex life or sexual orientation, citizenship, genetic or biometric data, and personal data from a known child.
Unlike the CCPA and CDPA, the Colorado bill specifically prohibits the use of “dark patterns.” A dark pattern is a user interface designed to subvert or impair user autonomy, decision-making, or choice by pushing consumers to take steps they did not intend to take such as purchasing or signing up for something.
Like the CDPA, the Colorado bill does not provide a private right of action for consumers. Instead, the bill gives enforcement authority to Colorado’s Attorney General and district attorneys. The bill also provides a 60-day right to cure, giving businesses time to remedy potential violations before any action is taken against them.
The bill will now go before Governor Polis who will have thirty days to sign or veto the bill. If the bill becomes law, it will go into effect on July 1, 2023.
For further information about Colorado’s privacy bill or privacy laws in general, please contact John Landolfi, Christopher Ingram, Christopher LaRocco, Sarah Boudouris, Gretchen Rutz, Joe Jakubowski, or your Vorys attorney.